Skip to main content

Privacy Policy

This Privacy Policy explains how CV. NGALAM INDONESIA RESERVE COFFEE ("NiR Coffee", "we", "us", "our") collects, uses, shares, and protects personal data when you visit nircoffee.id, place an order, register an account, or otherwise interact with us. We process personal data in accordance with Indonesian Law No. 27 of 2022 on Personal Data Protection ("UU PDP") and, where applicable, the EU General Data Protection Regulation ("GDPR").

Last updated: 2026-05-05

1. Data Controller

The controller responsible for your personal data is CV. NGALAM INDONESIA RESERVE COFFEE, with its registered office at Jl. Jombang No. 16, Malang, Jawa Timur 65115, Indonesia. For all privacy-related enquiries please write to hello@nircoffee.id.

2. Categories of Personal Data We Collect

We process the following categories of personal data:

  • Account data: name, email address, hashed password, phone number, account preferences.
  • Transaction data: shipping and billing addresses, order history, payment method references (Xendit transaction reference for card payments; BCA reference for QRIS and virtual-account payments; we do NOT store full card numbers), purchase amounts.
  • Device and usage data: IP address, browser type and version, device identifiers, operating system, referring URL, pages viewed, timestamps, approximate location derived from IP (city level).
  • Marketing data: marketing-email opt-in status, newsletter engagement metrics (opens, clicks) where you have consented.
  • Communications: support tickets, emails, chat messages, and any information you voluntarily share when contacting us.

3. Where We Get Personal Data

We collect personal data from three sources:

  • Directly from you when you create an account, place an order, fill in our wholesale application, subscribe to our newsletter, or contact us.
  • Automatically when you use the website, via cookies and similar technologies (see our Cookie Policy).
  • From third parties: payment confirmations from Xendit (card payments) and PT Bank Central Asia Tbk (BCA) (QRIS, virtual account); shipping status updates from couriers (JNE, J&T Express, SiCepat, AnterAja and others, brokered through KiriminAja or directly via courier APIs); aggregated audience metrics from Google and Meta where you have consented to those categories.

4. Legal Basis for Processing

We rely on the following legal bases under UU PDP (and GDPR Art. 6 where applicable):

  • Consent — for analytics cookies, marketing pixels, and direct marketing emails. You can withdraw at any time.
  • Performance of a contract — to fulfil orders, deliver products, process payments, and provide customer support.
  • Legal obligation — to retain transactional records for tax and accounting compliance.
  • Legitimate interest — to detect and prevent fraud, secure our systems, and improve our products and services, balanced against your rights.

5. Purposes of Processing

Personal data is processed for the following purposes:

  • Order fulfilment: process payment, ship goods, send transactional emails (order confirmation, shipping updates, delivery confirmation).
  • Account management: authenticate you, store your preferences, allow you to view past orders.
  • Marketing (only with your consent): send newsletters, promotional offers, and personalised product recommendations; measure ad campaign performance.
  • Analytics: understand aggregate usage patterns, improve site performance, and inform product decisions.
  • Fraud prevention and security: detect suspicious activity, protect against unauthorised access, defend our systems and customers.
  • Legal compliance: respond to lawful requests from authorities; meet tax, accounting, and consumer-protection obligations.

6. Third-Party Processors

We share personal data with the following processors, each acting under our written instructions and bound to confidentiality and security obligations:

  • Google LLC — Google Analytics 4 (analytics), Google Maps (store locator), Google Fonts (typography). Jurisdiction: United States.
  • Meta Platforms, Inc. — Meta Pixel (advertising measurement). Jurisdiction: United States.
  • Xendit Pte. Ltd. — credit / debit card payment processing and card refunds. Jurisdiction: Singapore / Indonesia.
  • PT Bank Central Asia Tbk (BCA) — QRIS and virtual-account payment processing and refunds. Jurisdiction: Indonesia.
  • KiriminAja — shipping aggregator (rate calculation, label generation, tracking). Jurisdiction: Indonesia.
  • Courier providers — JNE, J&T Express, SiCepat, AnterAja, and others, for last-mile delivery. Jurisdiction: Indonesia.
  • Amazon Web Services, Inc. — infrastructure hosting (compute, database, storage, content delivery). Jurisdiction: United States, with regional deployment in Singapore (ap-southeast-1).

7. International Data Transfers

Some of our processors are located outside Indonesia, including in the United States and Singapore. When we transfer personal data abroad, we rely on safeguards permitted by UU PDP, including the processor's contractual commitments to provide an adequate level of protection. For Google and Meta, we additionally rely on their published data-processing addenda. You can request a copy of our cross-border transfer documentation by emailing hello@nircoffee.id.

8. Data Retention

We retain personal data only as long as necessary for the purposes for which it was collected, or as required by law:

  • Order and invoice records: 7 years from the date of the transaction (Indonesian tax and accounting requirements).
  • Account data: until you request deletion. After a deletion request, identifiable data is anonymised within 30 days; aggregated, non-identifiable analytics may be retained.
  • Marketing data: 2 years after your last interaction (open, click, purchase). Inactive subscribers are removed automatically.
  • Consent records: kept for as long as the underlying account or transaction is retained, plus the legally required retention period.
  • Support correspondence: 3 years from the last interaction.

9. Your Rights Under UU PDP

Indonesian Law No. 27/2022 grants you the following rights with respect to your personal data:

  • Right of access — obtain confirmation of whether we process your data, and a copy of that data.
  • Right of rectification — request that inaccurate or incomplete data be corrected.
  • Right of erasure — request deletion of your data, subject to legal retention obligations.
  • Right to restrict processing — ask us to limit how we use your data while a complaint is investigated.
  • Right to data portability — receive your data in a structured, commonly used, machine-readable format.
  • Right to withdraw consent — at any time, without affecting the lawfulness of prior processing.
  • Right to lodge a complaint — with the Indonesian Ministry of Communication and Informatics (Kominfo) or, where applicable, your local supervisory authority.

10. How to Exercise Your Rights

To exercise any of the rights above, please email hello@nircoffee.id with the subject line [DATA REQUEST] followed by the type of request (e.g. [DATA REQUEST] Access). We will acknowledge receipt within 7 working days and respond substantively within 30 days, as required by UU PDP. We may need to verify your identity before fulfilling certain requests; see our Data Requests page for the full process.

11. Security

We use industry-standard technical and organisational measures to protect personal data, including encryption in transit (TLS 1.2+), access controls, principle-of-least-privilege for staff accounts, audit logging, and regular review of our processors. No system is perfectly secure; if we discover a breach affecting your personal data, we will notify you and the relevant authority in accordance with UU PDP timelines.

12. Children

Our services are intended for users aged 18 and over. We do not knowingly collect personal data from children under 18. If we learn that we have collected such data, we will delete it promptly. If you believe a child has provided personal data to us, please contact hello@nircoffee.id.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes are signalled by bumping the version date at the top of this page; existing users will be prompted to re-consent on next sign-in or next visit. Non-material changes (e.g. typo fixes, contact-detail updates) take effect immediately.

14. Contact

Questions, complaints, or requests regarding this Privacy Policy should be addressed to: CV. NGALAM INDONESIA RESERVE COFFEE, Jl. Jombang No. 16, Malang, Jawa Timur 65115, Indonesia. Email: hello@nircoffee.id.

15. Effective Date

This Privacy Policy is effective as of 2026-05-05.

Cookies & Privacy

We use cookies for essential site functions, analytics, and marketing. You can accept all, reject non-essential, or customize your choice. See our Privacy Policy and Cookie Policy for details.